Merge pull request #10989 from Security-Onion-Solutions/issue/10973

Issue/10973

salt/idstools/enabled.sls

@@ -69,6 +69,14 @@ so-rule-update:
     - minute: '1'
     - hour: '7'
 
+run_so-rule-update:
+  cmd.run:
+    - name: '/usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1'
+    - require:
+      - docker_container: so-idstools
+    - onchanges:
+      - file: idstoolsetcsync
+
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/idstools/sync_files.sls

@@ -26,6 +26,13 @@ rulesdir:
     - group: 939
     - makedirs: True
 
+SOrulesdir:
+  file.directory:
+    - name: /opt/so/rules/nids/sorules
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 # Don't show changes because all.rules can be large
 synclocalnidsrules:
   file.recurse:
@@ -35,3 +42,13 @@ synclocalnidsrules:
     - group: 939
     - show_changes: False
     - include_pat: 'E@.rules'
+
+# Don't show changes because all.rules can be large
+syncnidsSOrules:
+  file.recurse:
+    - name: /opt/so/rules/nids/sorules
+    - source: salt://idstools/sorules/
+    - user: 939
+    - group: 939
+    - show_changes: False
+    - include_pat: 'E@.rules'

salt/strelka/filestream/config.sls

@@ -6,6 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'strelka/map.jinja' import STRELKAMERGED %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'strelka/map.jinja' import filecheck_runas %}
 
 include:
@@ -78,6 +79,46 @@ filecheck_script:
     - group: 939
     - mode: 755
 
+filecheck.log:
+  file.managed:
+    - name: /opt/so/log/strelka/filecheck.log
+    - user: {{ filecheck_runas }}
+    - group: {{ filecheck_runas }}
+
+filecheck_stdout.log:
+  file.managed:
+    - name: /opt/so/log/strelka/filecheck_stdout.log
+    - user: {{ filecheck_runas }}
+    - group: {{ filecheck_runas }}
+
+{% if GLOBALS.md_engine == 'ZEEK' %}
+
+filecheck_run_socore:
+  cron.present:
+    - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
+    - identifier: filecheck_run_socore
+    - user: socore
+
+remove_filecheck_run_suricata:
+  cron.absent:
+    - identifier: filecheck_run_suricata
+    - user: suricata
+
+{% elif GLOBALS.md_engine == 'SURICATA'%}
+
+filecheck_run_suricata:
+  cron.present:
+    - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
+    - identifier: filecheck_run_suricata
+    - user: suricata
+
+remove_filecheck_run_socore:
+  cron.absent:
+    - identifier: filecheck_run_socore
+    - user: socore
+
+{% endif %}
+
 filecheck_restart:
   cmd.run:
     - name: pkill -f "python3 /opt/so/conf/strelka/filecheck"
@@ -85,12 +126,7 @@ filecheck_restart:
     - success_retcodes: [0,1]
     - onchanges:
       - file: filecheck_script
-
+      - file: filecheck_conf
-filecheck_run:
-  cron.present:
-    - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
-    - identifier: filecheck_run
-    - user: {{ filecheck_runas }}
 
 filcheck_history_clean:
   cron.present:

salt/suricata/defaults.yaml

@@ -416,7 +416,6 @@ suricata:
         enabled: "yes"
         filename: keyword_perf.log
         append: "yes"
-    
       prefilter:
         enabled: "yes"
         filename: prefilter_perf.log